CVE-2025-31650

Denial of Service
Affects
Apache Tomcat
in
Apache Tomcat
No items found.
Versions
>=9.0.76 <9.0.104, >=10.1.10 <10.1.40, >=11.0.0-M2 <11.0.6
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java Enterprise Edition (Java EE) specifications including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments due to its lightweight nature, ease of configuration, and compatibility with various Java applications. 

A Denial of Service (DoS) vulnerability (CVE-2025-31650) has been identified in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers can result in a memory leak. In large quantities, these memory leaks can result in an overall OutOfMemoryException and a denial of service. 

The Open Web Application Security Project (OWASP) explains that Denial of Service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.” In this case the attacker can cause the server to run out of memory and become unable to function.

This issue affects multiple versions of Apache Tomcat below 11.0.6.

Details

Module Info

  • Product: Apache Tomcat
  • Affected packages: tomcat-embed-core, tomcat-coyote
  • Affected versions: >=9.0.76 <9.0.104, >=10.1.10 <10.1.40, >=11.0.0-M2 <11.0.6
  • GitHub repository: https://github.com/apache/tomcat
  • Package manager: Maven
  • Fixed in: NES 8.5.101, 9.0.104, 10.1.40, and 11.0.6

Vulnerability Info

An attacker can exploit a vulnerable Apache Tomcat server by sending a large number of requests with invalid HTTP priority headers. Each failed request will result in a memory leak and eventually the server will run out of available memory and will be unable to respond to requests.

Mitigation

Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • Tomcat security team

Vulnerability Details
ID
CVE-2025-31650
PROJECT Affected
Apache Tomcat
Versions Affected
>=9.0.76 <9.0.104, >=10.1.10 <10.1.40, >=11.0.0-M2 <11.0.6
Published date
July 30, 2025
≈ Fix date
March 1, 2025
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
Category
Denial of Service
Sign up for the latest vulnerability alerts fixed in
NES for Apache Tomcat
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.